T7260 Remove last firewall group member. (#403)

RubenNL · omnom62 · web-flow · commit 29e8caf90706 · 2025-04-24T05:48:40.000+10:00
Co-authored-by: omnom62 &lt;75066712+omnom62@users.noreply.github.com&gt;
diff --git a/changelogs/fragments/T7260-remove-last-firewall-group-member.yaml b/changelogs/fragments/T7260-remove-last-firewall-group-member.yaml
@@ -0,0 +1,3 @@
+---
+bugfixes:
+  - vyos_firewall_global - Fix removing last member of a firewall group.
diff --git a/plugins/module_utils/network/vyos/config/firewall_global/firewall_global.py b/plugins/module_utils/network/vyos/config/firewall_global/firewall_global.py
@@ -373,6 +373,8 @@ def _render_grp_mem(self, attr, w, h, opr):
                                 )
                         elif not opr and key in l_set:
                             if key == "name" and self._is_grp_del(h, want, key):
+                                if commands[-1] == cmd + " " + want["name"] + " " + self._grp_type(attr):
+                                    commands.pop()
                                 commands.append(cmd + " " + want["name"])
                                 continue
                             if not (h and in_target_not_none(h, key)) and not self._is_grp_del(h, want, "name"):
@@ -435,6 +437,14 @@ def _render_ports_addrs(self, attr, w, h, opr, cmd, name, type):
                         + " "
                         + member[self._get_mem_type(type)],
                     )
+            elif not opr and not have:
+                commands.append(
+                    cmd
+                    + " "
+                    + name
+                    + " "
+                    + self._grp_type(type),
+                )
         return commands
 
     def _get_mem_type(self, group):
diff --git a/tests/unit/modules/network/vyos/fixtures/vyos_firewall_global_config.cfg b/tests/unit/modules/network/vyos/fixtures/vyos_firewall_global_config.cfg
@@ -2,6 +2,8 @@ set firewall group address-group RND-HOSTS address 192.0.2.1
 set firewall group address-group RND-HOSTS address 192.0.2.3
 set firewall group address-group RND-HOSTS address 192.0.2.5
 set firewall group address-group RND-HOSTS description 'This group has the Management hosts address lists'
+set firewall group address-group DELETE-HOSTS address 1.2.3.4
+set firewall group address-group DELETE-HOSTS description 'The (single) last address from this group will be deleted in the tests'
 set firewall group ipv6-address-group LOCAL-v6 address ::1
 set firewall group ipv6-address-group LOCAL-v6 address fdec:2503:89d6:59b3::1
 set firewall group ipv6-address-group LOCAL-v6 description 'This group has the hosts address lists of this machine'
diff --git a/tests/unit/modules/network/vyos/fixtures/vyos_firewall_global_config_v14.cfg b/tests/unit/modules/network/vyos/fixtures/vyos_firewall_global_config_v14.cfg
@@ -2,6 +2,8 @@ set firewall group address-group RND-HOSTS address 192.0.2.1
 set firewall group address-group RND-HOSTS address 192.0.2.3
 set firewall group address-group RND-HOSTS address 192.0.2.5
 set firewall group address-group RND-HOSTS description 'This group has the Management hosts address lists'
+set firewall group address-group DELETE-HOSTS address 1.2.3.4
+set firewall group address-group DELETE-HOSTS description 'The (single) last address from this group will be deleted in the tests'
 set firewall group ipv6-address-group LOCAL-v6 address ::1
 set firewall group ipv6-address-group LOCAL-v6 address fdec:2503:89d6:59b3::1
 set firewall group ipv6-address-group LOCAL-v6 description 'This group has the hosts address lists of this machine'
diff --git a/tests/unit/modules/network/vyos/test_vyos_firewall_global.py b/tests/unit/modules/network/vyos/test_vyos_firewall_global.py
@@ -268,6 +268,12 @@ def test_vyos_firewall_global_set_01_replaced(self):
                                     dict(address="192.0.2.9"),
                                 ],
                             ),
+                            dict(
+                                afi="ipv4",
+                                name="DELETE-HOSTS",
+                                description="The (single) last address from this group will be deleted in the tests",
+                                # No members here
+                            ),
                             dict(
                                 afi="ipv6",
                                 name="LOCAL-v6",
@@ -309,6 +315,7 @@ def test_vyos_firewall_global_set_01_replaced(self):
             "delete firewall send-redirects",
             "delete firewall group address-group RND-HOSTS address 192.0.2.3",
             "delete firewall group address-group RND-HOSTS address 192.0.2.5",
+            "delete firewall group address-group DELETE-HOSTS address",
             "set firewall group address-group RND-HOSTS address 192.0.2.7",
             "set firewall group address-group RND-HOSTS address 192.0.2.9",
             "delete firewall group network-group RND description",
@@ -376,6 +383,7 @@ def test_vyos_firewall_global_set_02_replaced(self):
             ),
         )
         commands = [
+            "delete firewall group address-group DELETE-HOSTS",
             "delete firewall group address-group RND-HOSTS address 192.0.2.3",
             "delete firewall group address-group RND-HOSTS address 192.0.2.5",
             "delete firewall ipv6-src-route",
@@ -411,6 +419,14 @@ def test_vyos_firewall_global_set_01_replaced_idem(self):
                                     dict(address="192.0.2.5"),
                                 ],
                             ),
+                            dict(
+                                afi="ipv4",
+                                name="DELETE-HOSTS",
+                                description="The (single) last address from this group will be deleted in the tests",
+                                members=[
+                                    dict(address='1.2.3.4'),
+                                ]
+                            ),
                             dict(
                                 afi="ipv6",
                                 name="LOCAL-v6",
diff --git a/tests/unit/modules/network/vyos/test_vyos_firewall_global14.py b/tests/unit/modules/network/vyos/test_vyos_firewall_global14.py
@@ -271,6 +271,12 @@ def test_vyos_firewall_global_set_01_replaced(self):
                                     dict(address="192.0.2.9"),
                                 ],
                             ),
+                            dict(
+                                afi="ipv4",
+                                name="DELETE-HOSTS",
+                                description="The (single) last address from this group will be deleted in the tests",
+                                # No members here
+                            ),
                             dict(
                                 afi="ipv6",
                                 name="LOCAL-v6",
@@ -310,6 +316,7 @@ def test_vyos_firewall_global_set_01_replaced(self):
         commands = [
             "delete firewall group address-group RND-HOSTS address 192.0.2.3",
             "delete firewall group address-group RND-HOSTS address 192.0.2.5",
+            "delete firewall group address-group DELETE-HOSTS address",
             "delete firewall global-options all-ping",
             "delete firewall global-options state-policy related",
             "delete firewall global-options ipv6-src-route",
@@ -349,6 +356,14 @@ def test_vyos_firewall_global_set_01_replaced_idem(self):
                                     dict(address="192.0.2.5"),
                                 ],
                             ),
+                            dict(
+                                afi="ipv4",
+                                name="DELETE-HOSTS",
+                                description="The (single) last address from this group will be deleted in the tests",
+                                members=[
+                                    dict(address='1.2.3.4'),
+                                ]
+                            ),
                             dict(
                                 afi="ipv6",
                                 name="LOCAL-v6",
@@ -451,6 +466,7 @@ def test_vyos_firewall_global_set_02_replaced(self):
             "delete firewall global-options send-redirects",
             "set firewall global-options state-policy related action 'drop'",
             "delete firewall global-options state-policy related log-level",
+            "delete firewall group address-group DELETE-HOSTS",
             "set firewall global-options state-policy invalid action 'reject'",
             "set firewall group address-group RND-HOSTS address 192.0.2.7",
             "set firewall group address-group RND-HOSTS address 192.0.2.9",

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+---`
	`2`	`+bugfixes:`
	`3`	`+ - vyos_firewall_global - Fix removing last member of a firewall group.`